Edward Kiledjian's Threat Intel

Cursor’s Denylist Exposes The Risks Of Agentic AI

Cursor, an AI-based code editor, uses a denylist to prevent unauthorized commands from being executed by its AI agents. However, researchers found four ways to bypass the denylist, including obfuscation, subshells, scripts, and exploiting Bash’s double quote interpretation. Until Cursor deprecates the denylist in version 1.3, users are advised to disable auto-run, switch to allowlist mode, and use external security tools.
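
The difference between denylist and allowlist mode, as an added example that is not from the article or from Cursor: a naive word-matching denylist next to a default-deny allowlist gate, run over one constructed command per bypass class. The policy sets, sample commands and function names are assumptions made for illustration and do not reproduce Cursor's matching logic.

```python
import shlex

# Hypothetical policy values, constructed for this example.
DENYLIST = {"curl", "rm"}
ALLOWLIST = {"ls", "cat", "git"}
# Characters that make the shell do more than run one literal argv.
SHELL_META = set("$`|;&<>(){}\\\n")

# Constructed inputs, one per bypass class named in the summary.
SAMPLES = {
    "direct": "curl https://example.invalid/x",
    "double_quotes": '"cu"rl https://example.invalid/x',
    "subshell": "ls $(curl https://example.invalid/x)",
    "script": "bash ./fetch.sh",
    "obfuscation": 'printf %s "$ENCODED" | sh',
    "benign": "git status",
}

def denylist_allows(command: str) -> bool:
    """Naive denylist: refuse only when a whitespace-separated word is denied."""
    return not any(word in DENYLIST for word in command.split())

def allowlist_allows(command: str) -> bool:
    """Default-deny: no shell metacharacters, and argv[0] must be allowlisted."""
    if any(ch in SHELL_META for ch in command):
        return False
    try:
        argv = shlex.split(command)  # resolves quoting the way a POSIX shell would
    except ValueError:               # unbalanced quotes
        return False
    # Only the command name is checked; arguments are not vetted here.
    return bool(argv) and argv[0] in ALLOWLIST

def compare() -> dict:
    """Map each sample name to (denylist verdict, allowlist verdict)."""
    return {name: (denylist_allows(cmd), allowlist_allows(cmd))
            for name, cmd in SAMPLES.items()}

if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare().items():
        print(f"{name:14} denylist_allows={deny_ok!s:5} allowlist_allows={allow_ok}")
```

The denylist stops only the literal form of the denied command, while the allowlist gate refuses every variant because it decides on what the shell would actually execute and rejects anything it does not recognise.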